Hey guys, I have developed a website.
I have two users (Admin and users). I also have two database tables, namely (tableUsers, tableAdmins), so what I want is to check whether the currently logged-in user is admin or student and redirect to their own corresponding pages, like (for admin admin/admin.aspx,
for user home.aspx).
Thank you.

What I have tried:

Just tried to log in, but only users can log in.

C#
string s = ConfigurationManager.ConnectionStrings["RegistrationConnectionString2"].ConnectionString;

protected void LoginButton_Click1(object sender, EventArgs e) {

    if (Page.IsValid) {

        using (SqlConnection con = new SqlConnection(s)) {
            SqlCommand cmd = new SqlCommand("spUserlogin", con);
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.AddWithValue("@username", TextBoxUsername.Text);
            cmd.Parameters.AddWithValue("@password", TextBoxPassword.Text);

            SqlCommand cmd1 = new SqlCommand("spAdminlogin");
            cmd1.CommandType = CommandType.StoredProcedure;

            try {
                con.Open();
                int value = (int)cmd.ExecuteScalar();
                if (value == 1) {

                    if (CheckBox1.Checked) {
                        HttpCookie user = new HttpCookie("user_cookies");       //creating cookie object where user_cookies is cookie name
                        user["New"] = TextBoxUsername.Text;             //cookie content
                        user.Expires = DateTime.Now.AddYears(3);            // give the time/duration of cookie
                        Response.Cookies.Add(user);                     // it gives the response in browser
                    }
                    else {
                        Session["New"] = TextBoxUsername.Text;
                    }
                    Response.Redirect("home.aspx");
                }
                else {
                    Label_Login.Visible = true;
                    Label_Login.Text = "Use Correct username and password";

                }

            }

            catch (Exception ex) {
                labelError.Visible = true;
                labelError.Text = "Something went wrong! Contact your developer " + ex.Message;
            }
        }
    }

}
Updated 28-Dec-18 11:19am
Comments
MadMyche 28-Dec-18 12:39pm    
Could you add some code so we can see what you tried and have an idea on what we are working with?
AhmedHosny96 28-Dec-18 12:51pm    
Yeah, here is the code-behind for my login.aspx page.

1 solution

The quick and ugly thing to do would be to alter the Stored Procedure you are calling and have it reference the second table, and return something useful to differentiate if they were found in the User or Admin table.

I neither recommend nor condone this though, and I have a slew of recommendations and/or concerns.

You should have one table for all users to login against. That table should either have a column to specify a user type (e.g. Role, IsAdmin) or be referenced by another table(s) for roles/permissions.

You are passing in the password into your stored procedure in plain text. Is the password in the table plain-text as well? Is the connection to the DB server encrypted?
If any of these are true, I would recommend bumping up the security... There are plenty of examples for routines such as BCrypt.

Right now it looks like your Stored Procedure is only returning an integer value of 1 which looks like it means they are allowed in. You could alter the procedure to signify not only if they passed authentication, but what their role is. If they are in what is now the user table, keep returning 1 and follow the current path. But if they were in what is now the Admin table, return a 2 and make a new path for creating their cookie and send them to the Admin.aspx page.

I will give you kudos as well: on authentication failure it does not specify if the username or password was wrong, just that they weren't right.
 
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
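
An added example (not part of the original answer or the asker's code) of the single-table approach the answer recommends: one lookup returns the BCrypt hash and the role, the password is verified in the application, and the role picks the landing page. The class name `Login`, the table `tableAccounts` and its columns, the `Session["Role"]` key, the BCrypt.Net-Next NuGet package and the inline parameterized query (used here in place of a stored procedure) are assumptions; the remember-me cookie is left out.

```csharp
// Added example: code-behind for login.aspx using one accounts table.
// Assumed (hypothetical) schema: tableAccounts(Username, PasswordHash, Role),
// PasswordHash = BCrypt hash, Role = 'Admin' or 'User'. Needs BCrypt.Net-Next.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public partial class Login : System.Web.UI.Page
{
    private readonly string s = ConfigurationManager
        .ConnectionStrings["RegistrationConnectionString2"].ConnectionString;

    // Returns the account's role, or null when the username is unknown
    // or the password does not match the stored hash.
    private string Authenticate(string username, string password)
    {
        using (SqlConnection con = new SqlConnection(s))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT PasswordHash, Role FROM tableAccounts WHERE Username = @username", con))
        {
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 100).Value = username;
            con.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read()) return null;
                string hash = r.GetString(0);
                string role = r.GetString(1);
                // Verified in the application: the plain-text password is never sent to the database.
                return BCrypt.Net.BCrypt.Verify(password, hash) ? role : null;
            }
        }
    }

    protected void LoginButton_Click1(object sender, EventArgs e)
    {
        if (!Page.IsValid) return;
        string role = Authenticate(TextBoxUsername.Text, TextBoxPassword.Text);
        if (role == null)
        {   // Same message for an unknown user and a wrong password.
            Label_Login.Visible = true;
            Label_Login.Text = "Use Correct username and password";
            return;
        }
        Session["New"] = TextBoxUsername.Text;
        Session["Role"] = role;   // role is kept server-side in the session
        Response.Redirect(role == "Admin" ? "admin/admin.aspx" : "home.aspx");
    }
}
```

The redirect only chooses a landing page; admin/admin.aspx still has to check `Session["Role"]` in its own `Page_Load` before rendering anything.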


